EXIDA (2013) The ICS Cybersecurity Lifecycle
EXIDA (2013) The ICS Cybersecurity Lifecycle

With the ever changing threats posed by cyber events of any nature, it has become critical to
recognize these emerging threats, malicious or not, and identify the consequences these threats
may have on the operation of an industrial control system (ICS). Cyber-attacks over time have the
ability to take on many forms and threaten not only industrial but also national security.
Saudi Aramco, the world’s largest exporter of crude oil, serves as a perfect example depicting how
devastating a cyber-attack can truly be on an industrial manufacturer. In August 2012, Saudi
Aramco (SA) had 30,000 personal computers on its network infected by a malware attack better
known as the “Shamoon” virus. According to InformationWeek Security this was roughly 75
percent of the company’s workstations and took 10 days to complete clean-up efforts.i
The seriousness of cyber-attacks in regards to national security was addressed by former United
States Secretary of Defense Leon W. Panetta in his speech on October 2012. Panetta issued a
strong warning to business executives about cybersecurity as it relates to national security.” A
cyber-attack perpetrated by nation states [and] violent extremists groups could be as destructive
as the terrorist attack on 9/11. Such a destructive cyber-terrorist attack could virtually paralyze
the nation,” he stated. “For example, we know that foreign cyber actors are probing America’s
critical infrastructure networks. They are targeting the computer control systems that operate
chemical, electricity and water plants and those that guide transportation throughout this
country.”ii
In addition to Panetta’s address, the U.S. Department of Homeland Security has issued several
alerts about coordinated attacks on gas pipeline operators, according to a May 2012 report by
ABC News.iii
This whitepaper will focus on the significance of cyber-attacks on industrial control systems (ICS)
and how these attacks can be prevented by proper practice of the ICS Cybersecurity lifecycle.

EXIDA (2013) The ICS Cybersecurity Lifecycle

EXIDA (2013) The ICS Cybersecurity Lifecycle